Fix sudoers_policy plugin options when sudoers_audit is not listed.

As of sudo 1.9.1 the sudoers file is opened by the audit plugin,
not the policy plugin.  As a result, plugin options set for
sudoers_policy have no effect.  If sudoers_policy has plugin options
in sudo.conf and sudoers_audit is not listed, move the options to
sudoers_audit so they will have an effect.

doc/sudoers.man.in

@@ -72,6 +72,7 @@ plugin, the following configuration can be used.
 .nf
 .sp
 .RS 6n
+Plugin sudoers_audit sudoers.so
 Plugin sudoers_policy sudoers.so
 Plugin sudoers_io sudoers.so
 .RE
@@ -84,15 +85,27 @@ Starting with
 plugin in the
 sudo.conf(@mansectform@)
 file.
-These arguments, if present, should be listed after the path to the plugin
+Plugin arguments, if any, should be listed after the path to the plugin
 (i.e., after
 \fIsudoers.so\fR).
+The arguments are only effective for the plugin that opens (and parses) the
+\fIsudoers\fR
+file.
+.PP
+For
+\fBsudo\fR
+version 1.9.1 and higher, this is the
+\fIsudoers_audit\fR
+plugin.
+For older versions, it is the
+\fIsudoers_policy\fR
+plugin.
 Multiple arguments may be specified, separated by white space.
 For example:
 .nf
 .sp
 .RS 6n
-Plugin sudoers_policy sudoers.so sudoers_mode=0400
+Plugin sudoers_audit sudoers.so sudoers_mode=0400 error_recovery=false
 .RE
 .fi
 .PP

doc/sudoers.mdoc.in

@@ -69,6 +69,7 @@ to use the
 .Nm
 plugin, the following configuration can be used.
 .Bd -literal -offset indent
+Plugin sudoers_audit sudoers.so
 Plugin sudoers_policy sudoers.so
 Plugin sudoers_io sudoers.so
 .Ed
@@ -80,13 +81,25 @@ Starting with
 plugin in the
 .Xr sudo.conf @mansectform@
 file.
-These arguments, if present, should be listed after the path to the plugin
+Plugin arguments, if any, should be listed after the path to the plugin
 (i.e., after
 .Pa sudoers.so ) .
+The arguments are only effective for the plugin that opens (and parses) the
+.Em sudoers
+file.
+.Pp
+For
+.Nm sudo
+version 1.9.1 and higher, this is the
+.Em sudoers_audit
+plugin.
+For older versions, it is the
+.Em sudoers_policy
+plugin.
 Multiple arguments may be specified, separated by white space.
 For example:
 .Bd -literal -offset indent
-Plugin sudoers_policy sudoers.so sudoers_mode=0400
+Plugin sudoers_audit sudoers.so sudoers_mode=0400 error_recovery=false
 .Ed
 .Pp
 The following plugin arguments are supported:

src/load_plugins.c

@@ -532,8 +532,18 @@ sudo_load_plugins(struct plugin_container *policy_plugin,
 	 * loaded, load it too, if possible.
 	 */
 	if (!plugin_exists(audit_plugins, "sudoers_audit")) {
-	    (void)sudo_load_sudoers_plugin("sudoers_audit", policy_plugin,
+	    if (sudo_load_sudoers_plugin("sudoers_audit", policy_plugin,
-		io_plugins, audit_plugins, approval_plugins, true);
+		    io_plugins, audit_plugins, approval_plugins, true)) {
+		/*
+		 * Move the plugin options from sudoers_policy to sudoers_audit
+		 * since the audit module is now what actually opens sudoers.
+		 */
+		if (policy_plugin->options != NULL) {
+		    TAILQ_LAST(audit_plugins, plugin_container_list)->options =
+			policy_plugin->options;
+		    policy_plugin->options = NULL;
+		}
+	    }
 	}
     }